midway-fatcms 0.0.2 → 0.0.4

package/src/libs/crud-pro/services/CrudProTableMetaService.ts

@@ -1,25 +1,24 @@
 import { CrudProServiceBase } from './CrudProServiceBase';
-import { SqlCfgModel } from '../models/SqlCfgModel';
-import { IExecuteUnsafeQueryCtx, ITableMeta } from '../interfaces';
+import { IExecuteUnsafeQueryCtx, ITableColumn, ITableMeta, ITableMetaQuery } from '../interfaces';
 import { SqlDbType } from '../models/keys';
 // import { pickAndConvertRowsByMix } from '../utils/sqlConvert/convertMix';
 
 class CrudProTableMetaCache {
   private cacheMap: Record<string, ITableMeta> = {};
-  private getCacheKey(sqlCfgModel: SqlCfgModel) {
-    return `${sqlCfgModel.sqlDatabase}:::${sqlCfgModel.sqlSchema}:::${sqlCfgModel.sqlTable}`;
+  private getCacheKey(query: ITableMetaQuery) {
+    return `${query.sqlDatabase}:::${query.sqlSchema}:::${query.sqlDbType}:::${query.sqlTable}`;
   }
-  public getMeta(sqlCfgModel: SqlCfgModel) {
-    const cacheKey = this.getCacheKey(sqlCfgModel);
+  public getMeta(query: ITableMetaQuery) {
+    const cacheKey = this.getCacheKey(query);
     const obj = this.cacheMap[cacheKey];
-    if (obj && obj.expiredTime < Date.now()) {
+    if (obj && obj.expiredTime > Date.now()) {
       return obj;
     }
     return null;
   }
 
-  public setMeta(sqlCfgModel: SqlCfgModel, metaObj: ITableMeta) {
-    const cacheKey = this.getCacheKey(sqlCfgModel);
+  public setMeta(query: ITableMetaQuery, metaObj: ITableMeta) {
+    const cacheKey = this.getCacheKey(query);
     this.cacheMap[cacheKey] = metaObj;
   }
 }
@@ -27,60 +26,166 @@ class CrudProTableMetaCache {
 const metaCache = new CrudProTableMetaCache();
 
 class CrudProTableMetaService extends CrudProServiceBase {
-  async getTableMeta(sqlCfgModel: SqlCfgModel): Promise<ITableMeta> {
-    let obj = metaCache.getMeta(sqlCfgModel);
+  public async getTableMeta(query: ITableMetaQuery): Promise<ITableMeta> {
+    let obj = metaCache.getMeta(query);
     if (!obj) {
-      obj = await this.loadTableMeta(sqlCfgModel);
-      metaCache.setMeta(sqlCfgModel, obj);
+      obj = await this.loadTableMeta(query);
+      metaCache.setMeta(query, obj);
     }
     return obj;
   }
 
-  private async loadTableMeta(sqlCfgModel: SqlCfgModel): Promise<ITableMeta> {
+  private async loadTableMeta(query: ITableMetaQuery): Promise<ITableMeta> {
     const { tableMetaCacheTime } = this.getContextCfg();
 
-    const obj = {
-      expiredTime: Date.now() + tableMetaCacheTime || 1000 * 3600 * 24 * 365,
+    const obj: ITableMeta = {
+      expiredTime: Date.now() + (tableMetaCacheTime || 1000 * 3600 * 24 * 365),
       tableColumns: [],
+      columnDetails: [],
     };
 
     const baseInfo: IExecuteUnsafeQueryCtx = {
-      sqlTable: sqlCfgModel.sqlTable,
-      sqlDatabase: sqlCfgModel.sqlDatabase,
-      sqlDbType: sqlCfgModel.sqlDbType,
+      sqlTable: query.sqlTable,
+      sqlDatabase: query.sqlDatabase,
+      sqlDbType: query.sqlDbType,
     };
 
-    obj.tableColumns = await this.loadTableColumnInfo(baseInfo);
+    obj.columnDetails = await this.loadTableColumnDetails(baseInfo);
+    obj.tableColumns = obj.columnDetails.map(col => col.name);
 
     return obj;
   }
 
-  private async loadTableColumnInfo(baseInfo: IExecuteUnsafeQueryCtx): Promise<string[]> {
+  private async loadTableColumnDetails(baseInfo: IExecuteUnsafeQueryCtx): Promise<ITableColumn[]> {
     if (baseInfo.sqlDbType === SqlDbType.mysql) {
-      const queryRes = await this.executeUnsafeQuery(baseInfo, 'describe ' + baseInfo.sqlTable);
-      const tableDescribe = queryRes.rows || []; //pickAndConvertRowsByMix(queryRes, baseInfo.sqlDbType);
-      const tableDescribe2 = JSON.parse(JSON.stringify(tableDescribe));
-      return tableDescribe2.map(fieldObj => {
-        return fieldObj['Field'];
-      });
+      return this.loadMySQLColumnDetails(baseInfo);
     } else if (baseInfo.sqlDbType === SqlDbType.postgres) {
-      const schemaname = 'public';
-      const columnArraySql = `
-      SELECT
-        *
-        FROM information_schema.columns
-        WHERE table_schema = '${schemaname}' and table_name = '${baseInfo.sqlTable}'
-        ORDER BY ordinal_position;
-      `.trim();
-      const queryRes = await this.executeUnsafeQuery(baseInfo, columnArraySql);
-      const tableDescribe = queryRes.rows || [];
-      return tableDescribe.map(fieldObj => {
-        return fieldObj['column_name'];
-      });
+      return this.loadPostgreSQLColumnDetails(baseInfo);
+    } else if (baseInfo.sqlDbType === SqlDbType.sqlserver) {
+      return this.loadSQLServerColumnDetails(baseInfo);
     }
 
     throw new Error('暂不支持的数据库类型：' + baseInfo.sqlDbType);
   }
+
+  private async loadMySQLColumnDetails(baseInfo: IExecuteUnsafeQueryCtx): Promise<ITableColumn[]> {
+    const queryRes = await this.executeUnsafeQuery(baseInfo, 'DESCRIBE ' + baseInfo.sqlTable);
+    const tableDescribe = queryRes.rows || [];
+
+    return tableDescribe.map((fieldObj: any) => {
+      const { Field, Type, Null, Key, Default, Extra } = fieldObj;
+      return {
+        name: Field,
+        type: Type,
+        isNullable: Null === 'YES',
+        isPrimaryKey: Key === 'PRI',
+        defaultValue: Default,
+        comment: Extra,
+      };
+    });
+  }
+
+  private async loadPostgreSQLColumnDetails(baseInfo: IExecuteUnsafeQueryCtx): Promise<ITableColumn[]> {
+    const schemaname = baseInfo.sqlSchema || 'public';
+
+    // 获取列基本信息
+    const columnArraySql = `
+      SELECT
+        column_name,
+        data_type,
+        is_nullable,
+        column_default,
+        character_maximum_length
+      FROM information_schema.columns
+      WHERE table_schema = '${schemaname}' AND table_name = '${baseInfo.sqlTable}'
+      ORDER BY ordinal_position;
+    `.trim();
+
+    const queryRes = await this.executeUnsafeQuery(baseInfo, columnArraySql);
+    const columnArray = queryRes.rows || [];
+
+    // 获取字段注释
+    const commentMap = await this.loadPostgreSQLColumnComments(baseInfo, schemaname);
+
+    return columnArray.map((columnObj: any) => {
+      const { column_name, data_type, is_nullable, column_default, character_maximum_length } = columnObj;
+      return {
+        name: column_name,
+        type: data_type,
+        isNullable: is_nullable === 'YES',
+        defaultValue: column_default,
+        maxLength: character_maximum_length,
+        comment: commentMap[column_name],
+      };
+    });
+  }
+
+  private async loadPostgreSQLColumnComments(
+    baseInfo: IExecuteUnsafeQueryCtx,
+    schemaname: string
+  ): Promise<Record<string, string>> {
+    const commentArraySql = `
+      SELECT
+        a.attname AS column_name,
+        d.description AS column_comment
+      FROM pg_class c
+      JOIN pg_namespace n ON c.relnamespace = n.oid
+      JOIN pg_attribute a ON c.oid = a.attrelid
+      LEFT JOIN pg_description d ON c.oid = d.objoid AND a.attnum = d.objsubid
+      WHERE n.nspname = '${schemaname}'
+        AND c.relname = '${baseInfo.sqlTable}'
+        AND a.attnum > 0
+      ORDER BY a.attnum;
+    `.trim();
+
+    const queryRes = await this.executeUnsafeQuery(baseInfo, commentArraySql);
+    const commentArray = queryRes.rows || [];
+
+    const map: Record<string, string> = {};
+    commentArray.forEach((commentObj: any) => {
+      const { column_name, column_comment } = commentObj;
+      map[column_name] = column_comment || '';
+    });
+
+    return map;
+  }
+
+  private async loadSQLServerColumnDetails(baseInfo: IExecuteUnsafeQueryCtx): Promise<ITableColumn[]> {
+    const columnArraySql = `
+      SELECT
+        c.name AS column_name,
+        t.name AS data_type,
+        c.max_length,
+        c.precision,
+        c.scale,
+        c.is_nullable,
+        c.is_identity,
+        dc.definition AS column_default,
+        ep.value AS column_comment
+      FROM sys.columns c
+      JOIN sys.types t ON c.user_type_id = t.user_type_id
+      LEFT JOIN sys.default_constraints dc ON c.default_object_id = dc.object_id
+      LEFT JOIN sys.extended_properties ep ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
+      WHERE c.object_id = OBJECT_ID('${baseInfo.sqlTable}')
+      ORDER BY c.column_id;
+    `.trim();
+
+    const queryRes = await this.executeUnsafeQuery(baseInfo, columnArraySql);
+    const columnArray = queryRes.rows || [];
+
+    return columnArray.map((columnObj: any) => {
+      const { column_name, data_type, is_nullable, column_default, column_comment, max_length, is_identity } = columnObj;
+      return {
+        name: column_name,
+        type: data_type,
+        isNullable: is_nullable,
+        defaultValue: column_default,
+        comment: column_comment,
+        maxLength: max_length,
+        isPrimaryKey: is_identity,
+      };
+    });
+  }
 }
 
 export { CrudProTableMetaService };

package/src/libs/crud-pro/services/CurdProServiceHub.ts

@@ -1,4 +1,4 @@
-import { IFuncCfgModel, IRequestCfgModel, ITableMeta } from '../interfaces';
+import { IFuncCfgModel, IRequestCfgModel, ISqlCfgModel, ITableMeta, ITableMetaQuery } from '../interfaces';
 import { RequestModel } from '../models/RequestModel';
 import { CrudProFieldValidateService } from './CrudProFieldValidateService';
 import { CrudProFieldUpdateService } from './CrudProFieldUpdateService';
@@ -13,6 +13,7 @@ import { ICurdProServiceHub } from '../models/ServiceHub';
 import { FuncContext } from '../models/FuncContext';
 import { CrudProExecuteFuncService } from './CrudProExecuteFuncService';
 import { CrudProTableMetaService } from './CrudProTableMetaService';
+import { CrudProDataFilterService } from './CrudProDataFilterService';
 
 class CurdProServiceHub implements ICurdProServiceHub {
   private readonly executeContext: ExecuteContext;
@@ -25,6 +26,7 @@ class CurdProServiceHub implements ICurdProServiceHub {
   private readonly originToExecuteSql: CrudProOriginToExecuteSql;
   private readonly executeFuncService: CrudProExecuteFuncService;
   private readonly tableMetaService: CrudProTableMetaService;
+  private readonly dataFilterService: CrudProDataFilterService;
 
   constructor(executeContext: ExecuteContext) {
     this.executeContext = executeContext;
@@ -36,6 +38,7 @@ class CurdProServiceHub implements ICurdProServiceHub {
     this.originToExecuteSql = new CrudProOriginToExecuteSql(this);
     this.executeFuncService = new CrudProExecuteFuncService(this);
     this.tableMetaService = new CrudProTableMetaService(this);
+    this.dataFilterService = new CrudProDataFilterService(this);
   }
 
   getExecuteContext(): ExecuteContext {
@@ -84,8 +87,12 @@ class CurdProServiceHub implements ICurdProServiceHub {
     return this.executeFuncService.executeFuncCfg(funCfg, funcContext);
   }
 
-  async getTableMeta(sqlCfgModel: SqlCfgModel): Promise<ITableMeta> {
-    return await this.tableMetaService.getTableMeta(sqlCfgModel);
+  async getTableMeta(query: ITableMetaQuery): Promise<ITableMeta> {
+    return await this.tableMetaService.getTableMeta(query);
+  }
+
+  async filterDataByTableMeta(data: Record<string, any>, sqlCfgModel: ISqlCfgModel | SqlCfgModel): Promise<Record<string, any>> {
+    return await this.dataFilterService.filterDataByTableMeta(data, sqlCfgModel);
   }
 }
 

package/src/libs/crud-pro/utils/MixinUtils.ts

@@ -201,9 +201,19 @@ const MixinUtils = {
       return;
     }
 
+    if (Array.isArray(obj)) {
+      const collection = obj;
+      for (let i = 0; i < collection.length; i++) {
+        const value = collection[i];
+        const curKeyPath = keyPath + '[' + i + ']';
+        objTravelCallback(value, null, i, curKeyPath);
+        MixinUtils.deepTravelObject(value, objTravelCallback, curKeyPath);
+      }
+      return;
+    }
+
     if (typeof obj === 'object') {
       const keys = Object.keys(obj);
-
       for (let i = 0; i < keys.length; i++) {
         const objKey = keys[i];
         const keyStr = objKey;
@@ -214,15 +224,6 @@ const MixinUtils = {
       }
     }
 
-    if (Array.isArray(obj)) {
-      const collection = obj;
-      for (let i = 0; i < collection.length; i++) {
-        const value = collection[i];
-        const curKeyPath = keyPath + '[' + i + ']';
-        objTravelCallback(value, null, i, curKeyPath);
-        MixinUtils.deepTravelObject(value, objTravelCallback, curKeyPath);
-      }
-    }
   },
   removeEmptyAttrs(obj: any): any {
     const result = {};

package/src/middleware/forbidden.middleware.ts

@@ -8,7 +8,11 @@ const BLACK_EQUAL_LIST = [
   '/config.json',
   '/backend/.env',
   '/.env',
+  '/.env.dev',
+  '/.env.prod',
   '/.env.local',
+  '/.env.staging',
+  '/.env.example',
   '/.env.production',
   '/.env.development',
   '/application.yml',
@@ -18,6 +22,7 @@ const BLACK_EQUAL_LIST = [
   '/config.yml',
   '/db.ini',
   '/database.yml',
+  '/api/.env',
   // 安全相关文件
   '/.well-known/security.txt',
   '/security.txt',
@@ -163,7 +168,7 @@ const SUSPICIOUS_USER_AGENTS = [
 
 /**
  * 安全防护中间件 - 黑名单路径拦截
- * 
+ *
  * 核心职责：
  * 1. 防御恶意爬虫：拦截常见的配置文件探测请求（.env、config.json等）
  * 2. 防御漏洞扫描：阻止安全扫描工具对敏感目录的探测（.git、.aws等）
@@ -171,13 +176,13 @@ const SUSPICIOUS_USER_AGENTS = [
  * 4. 防御路径遍历：检测并阻止 ../ 等路径遍历攻击尝试
  * 5. 识别攻击工具：检测User-Agent中的sqlmap、nikto等渗透测试工具
  * 6. 性能优化：提前拦截无效请求，避免进入业务逻辑层消耗资源
- * 
+ *
  * 应用场景：
  * - 公网暴露的Web应用：防止自动化工具批量扫描敏感路径
  * - 云原生部署环境：保护云服务配置文件不被探测（.aws、.env等）
  * - 多技术栈迁移：新系统可能残留旧技术栈痕迹，统一拦截避免误暴露
  * - 安全合规要求：主动防御已知的常见攻击路径，降低安全风险
- * 
+ *
  * 拦截策略：
  * - User-Agent检测：识别常见扫描工具（sqlmap, nikto, nmap, metasploit等）
  * - 路径遍历检测：阻止 ../, ..\, %2e%2e%2f 等编码后的遍历尝试
@@ -185,13 +190,13 @@ const SUSPICIOUS_USER_AGENTS = [
  * - 前缀匹配：.git/、.svn/、.aws/等版本控制和云服务目录
  * - 模糊匹配：wp-admin、wp-content等WordPress相关路径
  * - 后缀匹配：.php/.jsp/.asp等脚本文件、.bak/.sql等敏感文件
- * 
+ *
  * 防御能力增强：
  * - 支持30+种敏感配置文件拦截
  * - 支持50+种敏感目录前缀拦截
  * - 支持40+种危险文件后缀拦截
  * - 支持10+种常见攻击工具识别
- * 
+ *
  * 注意事项：
  * 此中间件拦截的路径在实际项目中并不存在，仅为安全防护层。
  * 被拦截的请求会立即返回404，不会进入后续业务逻辑。
@@ -288,8 +293,13 @@ export class ForbiddenMiddleware implements IMiddleware<Context, NextFunction> {
    * 检查是否包含路径遍历政击特征
    */
   private hasPathTraversal(path: string): boolean {
-    const decodedPath = decodeURIComponent(path);
-    return SUSPICIOUS_QUERY_PATTERNS.some(pattern => decodedPath.includes(pattern));
+    try {
+      const decodedPath = decodeURIComponent(path);
+      return SUSPICIOUS_QUERY_PATTERNS.some(pattern => decodedPath.includes(pattern));
+    } catch (e) {
+      // URL解码失败（如包含非法编码字符），直接判定为可疑请求
+      return true;
+    }
   }
 
   /**

package/src/middleware/global.middleware.ts

@@ -77,7 +77,7 @@ function handleNullRes(res: any): ICommonResult {
  * @param res
  */
 function handleArrayRes(res: any): ICommonResult {
-  if (Array.isArray(res) && res.length) {
+  if (Array.isArray(res)) {
     return { success: true, data: res };
   }
   return res;

package/src/models/SystemEntities.ts

@@ -79,6 +79,7 @@ export enum ProxyUserContextEnum {
   NO_PASS = 0,
   BASIC_INFO = 1,
   SESSION_INFO = 2,
+  BASIC_INFO_BIZ_EXT = 3,
 }
 
 export interface IProxyApiEntity extends IApiBaseEntity {

package/src/service/AuthService.ts

@@ -178,6 +178,9 @@ export class AuthService extends BaseService {
       if (!isEnableSuperAdmin(this.ctx)) {
         return null;
       }
+      if(!Array.isArray(superAdminList)) {
+        return null;
+      }
       return superAdminList.find((s)=>{
         return s.login_name === loginName;
       })

package/src/service/base/BaseService.ts

@@ -112,6 +112,11 @@ export class BaseService {
     this.getContextLogger().debug(msg, ...args);
   }
 
+  protected isProdEnv(): boolean {
+    const env = this.ctx.app.env;
+    return env === 'prod' || env === 'production';
+  }
+
   protected isLocalEnv(): boolean {
     return isLocalEnv(this.ctx);
   }

package/src/service/crudstd/CrudStdService.ts

@@ -95,11 +95,12 @@ export class CrudStdService extends ApiBaseService {
   public async executeStdQuery(stdAction: ICrudStdActionParams, params: IRequestModelCrudProExt, sqlSimpleName: KeysOfSimpleSQL): Promise<ExecuteContext> {
     const appCode = stdAction.appCode;
     const appInfo = await this.getParsedCrudStdAppForSettingKey(stdAction);
-    const stdCrudCfgObj = appInfo.stdCrudCfgObj;
 
     if (!appInfo || appInfo.status !== 1) {
       throw new BizException('应用不存在或已下线：' + appCode);
     }
+    
+    const stdCrudCfgObj = appInfo.stdCrudCfgObj;
 
     //删除策略
     const deleteStrategy = _.get(stdCrudCfgObj, 'othersSetting.values.deleteStrategy');

package/src/service/proxyapi/ProxyApiService.ts

@@ -46,7 +46,8 @@ export class ProxyApiService extends ApiBaseService {
     if (!cfgInfo) {
       throw new BizException('路径配置没有匹配到', Exceptions.CFG_NOT_FOUND);
     }
-    return this._handleProxyRequestForCfg(cfgInfo, upstream_path);
+    const proxyApiEntity: IProxyApiEntity = JSON.parse(JSON.stringify(cfgInfo));
+    return this._handleProxyRequestForCfg(proxyApiEntity, upstream_path);
   }
 
   /**
@@ -286,6 +287,7 @@ export class ProxyApiService extends ApiBaseService {
       const workbenchCode = this.ctx.workbenchInfo?.workbench_code;
       const userBasicInfo: any = { isLogin };
       if (sessionInfo && isLogin) {
+        userBasicInfo.nickName = sessionInfo.nickName;
         userBasicInfo.loginName = sessionInfo.loginName;
         userBasicInfo.sessionId = sessionInfo.sessionId;
         userBasicInfo.accountId = sessionInfo.accountId;
@@ -296,6 +298,25 @@ export class ProxyApiService extends ApiBaseService {
       return toBase64(userBasicInfo);
     }
 
+    // 传递用户基本信息和BizExt
+    if (proxyApiEntity.user_context === ProxyUserContextEnum.BASIC_INFO_BIZ_EXT) {
+      const isLogin = this.ctx.userSession.isLogin();
+      const sessionInfo = this.ctx.userSession.getSessionInfo();
+      const workbenchCode = this.ctx.workbenchInfo?.workbench_code;
+      const userBasicInfo: any = { isLogin };
+      if (sessionInfo && isLogin) {
+        userBasicInfo.nickName = sessionInfo.nickName;
+        userBasicInfo.loginName = sessionInfo.loginName;
+        userBasicInfo.sessionId = sessionInfo.sessionId;
+        userBasicInfo.accountId = sessionInfo.accountId;
+        userBasicInfo.workbenchCode = sessionInfo.workbenchCode;
+        userBasicInfo.accountType = sessionInfo.accountType;
+        userBasicInfo.bizExt = sessionInfo.bizExt; // 多了一个bizExt
+      }
+      userBasicInfo.workbenchCode = workbenchCode;
+      return toBase64(userBasicInfo);
+    }
+
     return null;
   }
 }

package/src/service/proxyapi/RouteHandler.ts

@@ -1,6 +1,8 @@
+import {IProxyApiEntity} from "@/models/SystemEntities";
+
 class RouteHandler {
-  cfgInfo: any;
-  constructor(cfgInfo: any) {
+  cfgInfo: IProxyApiEntity;
+  constructor(cfgInfo: IProxyApiEntity) {
     this.cfgInfo = cfgInfo;
   }
 }

package/src/service/proxyapi/RouteTrie.ts

@@ -13,7 +13,7 @@ class RouteTrieNode {
 
 class RouteTrie {
   private root: RouteTrieNode;
-  private routeCount: 0;
+  private routeCount: number = 0;
   constructor() {
     this.root = new RouteTrieNode();
     this.routeCount = 0;

package/src/service/proxyapi/WeightedRoundRobin.ts

@@ -7,7 +7,7 @@ interface IUpstreamItemExt extends IUpstreamItem {
 
 class WeightedRoundRobin {
   private readonly totalWeight: number;
-  private servers: IUpstreamItemExt[];
+  private readonly servers: IUpstreamItemExt[];
   constructor(servers: IUpstreamItem[]) {
     this.servers = servers.map(server => ({
       ...server,
@@ -34,6 +34,7 @@ class WeightedRoundRobin {
     // 2. 被选中的服务器减去总权重（实现平滑分配）
     if (selected) {
       selected.currentWeight -= this.totalWeight;
+      selected.currentWeight = Math.max(selected.currentWeight, 0);
       return selected;
     }